image-pruning: add daemonsets to the graph

Signed-off-by: Michal Minář <[email protected]>

Author: Michal Minář

pkg/apps/graph/nodes/nodes.go

@@ -3,13 +3,42 @@ package nodes
 import (
 	"github.com/gonum/graph"
 
+	kapisext "k8s.io/kubernetes/pkg/apis/extensions"
+
 	osgraph "github.com/openshift/origin/pkg/api/graph"
 	kubegraph "github.com/openshift/origin/pkg/api/kubegraph/nodes"
-	depoyapi "github.com/openshift/origin/pkg/apps/apis/apps"
+	deployapi "github.com/openshift/origin/pkg/apps/apis/apps"
 )
 
+// EnsureDaemonSetNode adds the provided deployment config to the graph if it does not exist
+func EnsureDaemonSetNode(g osgraph.MutableUniqueGraph, ds *kapisext.DaemonSet) *DaemonSetNode {
+	dsName := DaemonSetNodeName(ds)
+	dsNode := osgraph.EnsureUnique(
+		g,
+		dsName,
+		func(node osgraph.Node) graph.Node {
+			return &DaemonSetNode{Node: node, DaemonSet: ds, IsFound: true}
+		},
+	).(*DaemonSetNode)
+
+	podTemplateSpecNode := kubegraph.EnsurePodTemplateSpecNode(g, &ds.Spec.Template, ds.Namespace, dsName)
+	g.AddEdge(dsNode, podTemplateSpecNode, osgraph.ContainsEdgeKind)
+
+	return dsNode
+}
+
+func FindOrCreateSyntheticDaemonSetNode(g osgraph.MutableUniqueGraph, ds *kapisext.DaemonSet) *DaemonSetNode {
+	return osgraph.EnsureUnique(
+		g,
+		DaemonSetNodeName(ds),
+		func(node osgraph.Node) graph.Node {
+			return &DaemonSetNode{Node: node, DaemonSet: ds, IsFound: false}
+		},
+	).(*DaemonSetNode)
+}
+
 // EnsureDeploymentConfigNode adds the provided deployment config to the graph if it does not exist
-func EnsureDeploymentConfigNode(g osgraph.MutableUniqueGraph, dc *depoyapi.DeploymentConfig) *DeploymentConfigNode {
+func EnsureDeploymentConfigNode(g osgraph.MutableUniqueGraph, dc *deployapi.DeploymentConfig) *DeploymentConfigNode {
 	dcName := DeploymentConfigNodeName(dc)
 	dcNode := osgraph.EnsureUnique(
 		g,
@@ -27,7 +56,7 @@ func EnsureDeploymentConfigNode(g osgraph.MutableUniqueGraph, dc *depoyapi.Deplo
 	return dcNode
 }
 
-func FindOrCreateSyntheticDeploymentConfigNode(g osgraph.MutableUniqueGraph, dc *depoyapi.DeploymentConfig) *DeploymentConfigNode {
+func FindOrCreateSyntheticDeploymentConfigNode(g osgraph.MutableUniqueGraph, dc *deployapi.DeploymentConfig) *DeploymentConfigNode {
 	return osgraph.EnsureUnique(
 		g,
 		DeploymentConfigNodeName(dc),

pkg/apps/graph/nodes/types.go

@@ -3,14 +3,44 @@ package nodes
 import (
 	"reflect"
 
+	kapisext "k8s.io/kubernetes/pkg/apis/extensions"
+
 	osgraph "github.com/openshift/origin/pkg/api/graph"
 	deployapi "github.com/openshift/origin/pkg/apps/apis/apps"
 )
 
 var (
+	DaemonSetNodeKind        = reflect.TypeOf(kapisext.DaemonSet{}).Name()
 	DeploymentConfigNodeKind = reflect.TypeOf(deployapi.DeploymentConfig{}).Name()
 )
 
+func DaemonSetNodeName(o *kapisext.DaemonSet) osgraph.UniqueName {
+	return osgraph.GetUniqueRuntimeObjectNodeName(DaemonSetNodeKind, o)
+}
+
+type DaemonSetNode struct {
+	osgraph.Node
+	DaemonSet *kapisext.DaemonSet
+
+	IsFound bool
+}
+
+func (n DaemonSetNode) Found() bool {
+	return n.IsFound
+}
+
+func (n DaemonSetNode) Object() interface{} {
+	return n.DaemonSet
+}
+
+func (n DaemonSetNode) String() string {
+	return string(DaemonSetNodeName(n.DaemonSet))
+}
+
+func (*DaemonSetNode) Kind() string {
+	return DaemonSetNodeKind
+}
+
 func DeploymentConfigNodeName(o *deployapi.DeploymentConfig) osgraph.UniqueName {
 	return osgraph.GetUniqueRuntimeObjectNodeName(DeploymentConfigNodeKind, o)
 }

pkg/cmd/server/bootstrappolicy/policy.go

@@ -551,6 +551,7 @@ func GetOpenshiftBootstrapClusterRoles() []rbac.ClusterRole {
 				rbac.NewRule("list").Groups(kapiGroup).Resources("limitranges").RuleOrDie(),
 				rbac.NewRule("get", "list").Groups(buildGroup, legacyBuildGroup).Resources("buildconfigs", "builds").RuleOrDie(),
 				rbac.NewRule("get", "list").Groups(deployGroup, legacyDeployGroup).Resources("deploymentconfigs").RuleOrDie(),
+				rbac.NewRule("get", "list").Groups(extensionsGroup).Resources("daemonsets").RuleOrDie(),
 
 				rbac.NewRule("delete").Groups(imageGroup, legacyImageGroup).Resources("images").RuleOrDie(),
 				rbac.NewRule("get", "list").Groups(imageGroup, legacyImageGroup).Resources("images", "imagestreams").RuleOrDie(),

pkg/image/prune/prune.go

@@ -21,6 +21,7 @@ import (
 	kerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apimachinery/pkg/util/sets"
 	kapi "k8s.io/kubernetes/pkg/api"
+	kapisext "k8s.io/kubernetes/pkg/apis/extensions"
 	"k8s.io/kubernetes/pkg/client/retry"
 
 	"github.com/openshift/origin/pkg/api/graph"
@@ -134,8 +135,9 @@ type PrunerOptions struct {
 	BCs *buildapi.BuildConfigList
 	// Builds is the entire list of builds across all namespaces in the cluster.
 	Builds *buildapi.BuildList
-	// DCs is the entire list of deployment configs across all namespaces in the
-	// cluster.
+	// DSs is the entire list of daemon sets across all namespaces in the cluster.
+	DSs *kapisext.DaemonSetList
+	// DCs is the entire list of deployment configs across all namespaces in the cluster.
 	DCs *deployapi.DeploymentConfigList
 	// LimitRanges is a map of LimitRanges across namespaces, being keys in this map.
 	LimitRanges map[string][]*kapi.LimitRange
@@ -183,7 +185,7 @@ var _ Pruner = &pruner{}
 // defined in their namespace will be considered for pruning. Important to note is
 // the fact that this flag does not work in any combination with the keep* flags.
 //
-// images, streams, pods, rcs, bcs, builds, and dcs are the resources used to run
+// images, streams, pods, rcs, bcs, builds, daemonsets and dcs are the resources used to run
 // the pruning algorithm. These should be the full list for each type from the
 // cluster; otherwise, the pruning algorithm might result in incorrect
 // calculations and premature pruning.
@@ -198,6 +200,7 @@ var _ Pruner = &pruner{}
 // - any running pods
 // - any pending pods
 // - any replication controllers
+// - any daemonsets
 // - any deployment configs
 // - any build configs
 // - any builds
@@ -242,6 +245,7 @@ func NewPruner(options PrunerOptions) (Pruner, error) {
 	if err := addBuildsToGraph(g, options.Builds); err != nil {
 		return nil, err
 	}
+	addDaemonSetsToGraph(g, options.DSs)
 	addDeploymentConfigsToGraph(g, options.DCs)
 
 	return &pruner{
@@ -472,6 +476,19 @@ func addReplicationControllersToGraph(g graph.Graph, rcs *kapi.ReplicationContro
 	}
 }
 
+// addDaemonSetsToGraph adds daemon set to the graph.
+//
+// Edges are added to the graph from each daemon set to the images specified by its pod spec's list of
+// containers, as long as the image is managed by OpenShift.
+func addDaemonSetsToGraph(g graph.Graph, dss *kapisext.DaemonSetList) {
+	for i := range dss.Items {
+		ds := &dss.Items[i]
+		glog.V(4).Infof("Examining DaemonSet %s", getName(ds))
+		dsNode := deploygraph.EnsureDaemonSetNode(g, ds)
+		addPodSpecToGraph(g, &ds.Spec.Template.Spec, dsNode)
+	}
+}
+
 // addDeploymentConfigsToGraph adds deployment configs to the graph.
 //
 // Edges are added to the graph from each deployment config to the images

pkg/image/prune/prune_test.go

@@ -21,6 +21,7 @@ import (
 	"k8s.io/client-go/rest/fake"
 	clientgotesting "k8s.io/client-go/testing"
 	kapi "k8s.io/kubernetes/pkg/api"
+	kapisext "k8s.io/kubernetes/pkg/apis/extensions"
 	"k8s.io/kubernetes/staging/src/k8s.io/apimachinery/pkg/util/diff"
 
 	"github.com/openshift/origin/pkg/api/graph"
@@ -244,6 +245,26 @@ func rc(namespace, name string, containerImages ...string) kapi.ReplicationContr
 	}
 }
 
+func dsList(dss ...kapisext.DaemonSet) kapisext.DaemonSetList {
+	return kapisext.DaemonSetList{
+		Items: dss,
+	}
+}
+
+func ds(namespace, name string, containerImages ...string) kapisext.DaemonSet {
+	return kapisext.DaemonSet{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: namespace,
+			Name:      name,
+		},
+		Spec: kapisext.DaemonSetSpec{
+			Template: kapi.PodTemplateSpec{
+				Spec: podSpec(containerImages...),
+			},
+		},
+	}
+}
+
 func dcList(dcs ...deployapi.DeploymentConfig) deployapi.DeploymentConfigList {
 	return deployapi.DeploymentConfigList{
 		Items: dcs,
@@ -479,6 +500,7 @@ func TestImagePruning(t *testing.T) {
 		rcs                        kapi.ReplicationControllerList
 		bcs                        buildapi.BuildConfigList
 		builds                     buildapi.BuildList
+		dss                        kapisext.DaemonSetList
 		dcs                        deployapi.DeploymentConfigList
 		limits                     map[string][]*kapi.LimitRange
 		expectedImageDeletions     []string
@@ -634,6 +656,15 @@ func TestImagePruning(t *testing.T) {
 			expectedImageDeletions: []string{},
 		},
 
+		"referenced by daemonset - don't prune": {
+			images: imageList(
+				image("sha256:0000000000000000000000000000000000000000000000000000000000000000", registryHost+"/foo/bar@sha256:0000000000000000000000000000000000000000000000000000000000000000"),
+				image("sha256:0000000000000000000000000000000000000000000000000000000000000001", registryHost+"/foo/bar@sha256:0000000000000000000000000000000000000000000000000000000000000001"),
+			),
+			dss: dsList(ds("foo", "rc1", registryHost+"/foo/bar@sha256:0000000000000000000000000000000000000000000000000000000000000000")),
+			expectedImageDeletions: []string{"sha256:0000000000000000000000000000000000000000000000000000000000000001"},
+		},
+
 		"referenced by bc - sti - ImageStreamImage - don't prune": {
 			images: imageList(image("sha256:0000000000000000000000000000000000000000000000000000000000000000", registryHost+"/foo/bar@sha256:0000000000000000000000000000000000000000000000000000000000000000")),
 			bcs:    bcList(bc("foo", "bc1", "source", "ImageStreamImage", "foo", "bar@sha256:0000000000000000000000000000000000000000000000000000000000000000")),
@@ -1143,6 +1174,7 @@ func TestImagePruning(t *testing.T) {
 			RCs:         &test.rcs,
 			BCs:         &test.bcs,
 			Builds:      &test.builds,
+			DSs:         &test.dss,
 			DCs:         &test.dcs,
 			LimitRanges: test.limits,
 			RegistryURL: &url.URL{Scheme: "https", Host: registryHost},
@@ -1389,6 +1421,7 @@ func TestRegistryPruning(t *testing.T) {
 			RCs:              &kapi.ReplicationControllerList{},
 			BCs:              &buildapi.BuildConfigList{},
 			Builds:           &buildapi.BuildList{},
+			DSs:              &kapisext.DaemonSetList{},
 			DCs:              &deployapi.DeploymentConfigList{},
 			RegistryURL:      &url.URL{Scheme: "https", Host: "registry1.io"},
 		}
@@ -1447,6 +1480,7 @@ func TestImageWithStrongAndWeakRefsIsNotPruned(t *testing.T) {
 	rcs := rcList()
 	bcs := bcList()
 	builds := buildList()
+	dss := dsList()
 	dcs := dcList()
 
 	options := PrunerOptions{
@@ -1456,6 +1490,7 @@ func TestImageWithStrongAndWeakRefsIsNotPruned(t *testing.T) {
 		RCs:     &rcs,
 		BCs:     &bcs,
 		Builds:  &builds,
+		DSs:     &dss,
 		DCs:     &dcs,
 	}
 	keepYoungerThan := 24 * time.Hour

pkg/oc/admin/prune/images.go

@@ -15,6 +15,7 @@ import (
 	"time"
 
 	"github.com/spf13/cobra"
+	kerrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	knet "k8s.io/apimachinery/pkg/util/net"
 	restclient "k8s.io/client-go/rest"
@@ -261,6 +262,14 @@ func (o PruneImagesOptions) Run() error {
 		return err
 	}
 
+	allDSs, err := o.KubeClient.Extensions().DaemonSets(o.Namespace).List(metav1.ListOptions{})
+	if err != nil {
+		if !kerrors.IsForbidden(err) {
+			return err
+		}
+		fmt.Fprintf(os.Stderr, "Failed to list daemonsets: %v\n - * Make sure to update clusterRoleBindings.\n", err)
+	}
+
 	allDCs, err := o.AppsClient.DeploymentConfigs(o.Namespace).List(metav1.ListOptions{})
 	if err != nil {
 		return err
@@ -332,6 +341,7 @@ func (o PruneImagesOptions) Run() error {
 		RCs:                allRCs,
 		BCs:                allBCs,
 		Builds:             allBuilds,
+		DSs:                allDSs,
 		DCs:                allDCs,
 		LimitRanges:        limitRangesMap,
 		DryRun:             o.Confirm == false,